Link Shorteners in Phishing Attacks, Part II: How Many People Click on Phishing Attack Links?

As hard as cyber criminals try to hide their tactics, Cyveillance is able to learn a lot about these criminals’ behavior in aggregate in the course of providing our anti-phishing services. Yesterday we shared insights from our examination of phishing attacks that use shortened links to trick victims.

Today we delve deeper into data provided by Google’s URL Shortener API. Cyveillance took approximately one year’s worth of goo.gl links that deliver visitors to phishing attacks and submitted them to the URL Shortener API. The API returns details such as where visitors come from, what type of computers they tend to use, and more.

How Many People Click on Phishing Attack Links?

To define risk, we need to know how likely a problem is and what its impact would be. But when it comes to phishing, it’s often hard to quantify how many people actually click the links in emails that deliver them to the phishing attack. Usually researchers need to beg the admins of compromised sites, one at a time, for the server log files so they can be analyzed. Even in the unlikely case that the log files are delivered for examination, this approach doesn’t scale very well.

It can be argued that phishing attacks that use goo.gl links may not be representative of all phishing attacks. However, using Google’s API, we are able to quickly learn what happens in hundreds of such attacks.

We requested information via the API for approximately 800 goo.gl links used in phishing attacks. Data was returned for 590 of those. These 590 links lead to 387 unique phishing attack URLs on other servers. In the chart above, each dot represents a different phishing attack. We see that most of the phishing attacks in our sample do not garner very many clicks. The average number of clicks each attack received was 1,410; however, the median number of clicks was 290. This means half of all attacks received 290 or fewer clicks!

How Many Shortened Links Do Criminals Use in an Attack?

We were also able to measure, within our sample, how many different goo.gl URLs led whoever clicked them to the same attack destination.

By looking at the large spike on the right hand side of the chart above, we see that approximately 40 percent of phishing attacks use a single goo.gl link to deliver victims to a site. This helps us because it means that, by and large, taking down a single goo.gl shortened link is likely to eliminate most, if not all, of the traffic that the phishing attack generates.

On the left hand side of the chart above, the small hill represents 30 percent of all attacks; these attacks had many goo.gl shortened links leading visitors to the ultimate attack URL. It appears that there is one group of criminals launching phishing attacks who use many goo.gl links to build redundancy into their attacks. This makes it easier for their attacks to evade detection, remain online, and continue to make money for them longer.
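
The grouping behind the two sections above (clicks per attack, and short links per attack) can be sketched as follows. This is an added example, not Cyveillance's code: the records are constructed, and the rule used to decide that two destination URLs are the same attack (`normalize`) is an assumption.

```python
from collections import defaultdict
from statistics import mean, median
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: (short link, destination URL, clicks). All values are
# made up for illustration; the hosts are reserved placeholder names.
SAMPLE = [
    ("goo.gl/a1", "http://login.example.test/bank/", 2600),
    ("goo.gl/b2", "http://pay.example.invalid/verify", 150),
    ("goo.gl/c3", "http://pay.example.invalid/verify#x", 60),
    ("goo.gl/d4", "http://PAY.example.invalid/verify", 90),
    ("goo.gl/e5", "http://mail.example.test/signin", 200),
    ("goo.gl/f6", "http://docs.example.test/view", 40),
]

def normalize(url):
    """Assumed rule: lower-case scheme and host and drop the fragment, so
    trivially different spellings of one destination count as one attack."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))

def group_by_attack(records):
    """Map each destination (one attack) to its {short link: clicks}."""
    attacks = defaultdict(dict)
    for short, dest, clicks in records:
        links = attacks[normalize(dest)]
        links[short] = links.get(short, 0) + clicks
    return dict(attacks)

def summarize(records):
    """Link and attack counts, mean vs. median clicks, single-link share."""
    attacks = group_by_attack(records)
    totals = [sum(links.values()) for links in attacks.values()]
    single = sum(1 for links in attacks.values() if len(links) == 1)
    return {
        "links": sum(len(links) for links in attacks.values()),
        "attacks": len(attacks),
        "mean_clicks": mean(totals),
        "median_clicks": median(totals),
        "single_link_share": single / len(attacks),
    }

def takedown_coverage(records):
    """Per attack: share of clicks removed by taking down its busiest link."""
    return {dest: max(links.values()) / sum(links.values())
            for dest, links in group_by_attack(records).items()}

if __name__ == "__main__":
    print(summarize(SAMPLE), takedown_coverage(SAMPLE))
```

One heavily clicked attack pulls the mean far above the median, and the coverage figure shows which attacks a single takedown would not fully cut off.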

More to Come

In tomorrow’s third and final blog post on this research, we will share what the data tells us about who clicks on phishing attack links. This intelligence has important implications in helping you decide where and how to spend resources to educate different groups on how they can avoid phishing attacks. See you tomorrow!
